eSkimming is on the rise, preying on the rapid acceleration in eCommerce arising from the COVID-19 pandemic.

eCommerce merchants in Asia Pacific are optimistic about the upcoming festive shopping season, preparing for peak online shopping events such as 11.11, Black Friday, Cyber Monday and 12.12.

While eCommerce activities have rapidly accelerated in the region due to the global pandemic, eSkimming malware attacks are also on the rise and becoming more sophisticated — a cause for concern as we continue to navigate an increasingly digital world in our daily lives.

The threat of such eSkimming malware attacks looms larger, in light of the peak festive shopping season.

Last year, Visa’s Payment Fraud Disruption (PFD) team discovered a piece of malware and named it ‘Pipka’, an industry-first in its capability as a JavaScript skimmer to remove itself completely from detection. And more recently, just last month, the team issued a security alert that it has identified a new eCommerce skimmer named ‘Baka, which was able to avoid traditional malware detection methods — indicating that it was created by a skilled developer.

Using Visa’s eCommerce Threat Disruption (eTD) capability, which analyses and detects threats targeting eCommerce merchants, the PFD team was able to identify Baka on several merchant websites across multiple global regions. Where consumers shifted during COVID-19, eCommerce fraud and attacks followed.

David Capezza, Senior Director of Payment Systems Intelligence, Visa

CybersecAsia discuss the latest ePayment threats – and solutions and best practices to mitigate them – with David Capezza, Senior Director of Payment Systems Intelligence, Visa.

Given recent changes in consumer habits and preferences, how has malware and security threats in the payments and eCommerce evolved in recent years? How will they continue to evolve?

Capezza: There has been a steady increase of cyber-threats targeting eCommerce websites over the last 5 years. eCommerce skimming malware has matured from simple form stealers, to complete kits that include all of the tools needed to commit an attack start to finish. As the malware kits continue to mature, we anticipate the authors will offer complete software-as-a-service solutions. Visa Payment Systems Intelligence has analysed this malware evolution over time, highlighting new malware variants, including Pipka and Baka

How is Baka different from other eCommerce skimmers that were previously discovered? What threat does it pose to eCommerce merchants in Asia Pacific and around the world? 

Capezza: Most notably, Baka is different for the secure method in which it requests and loads its malicious payload. The malware is uniquely encrypted each time it is loaded, making analysis more difficult. There are also multiple anti-forensic countermeasures to further frustrate security analysts.

Baka poses a similar threat to other common eCommerce skimming malware families. These skimming malwares all steal payment data from consumers during checkout. Baka’s skimming script is more difficult to capture and analyze, but can be found just as easily as any other eCommerce malware by monitoring and alerting on unauthorised changes to the content of your eCommerce website.  Visa is able to monitor for malware variants daily, using capabilities such as eCommerce Threat Disruption.

How does Visa PFD support issuers, processers and merchants in proactively detecting, disrupting and mitigating malware and other security threats?

Capezza: Visa Payment Fraud Disruption (PFD) developed the eCommerce Threat Disruption capability to quickly identify threats to eCommerce merchants. This enables us to disrupt the threats before fraud occurs, and to facilitate the remediation of eCommerce merchant compromises as quickly as possible.

This capability, currently provided at no cost to the ecosystem and benefiting all eCommerce merchants, aims to provide a safer and more robust security payments ecosystem for the issuer, the acquirer, and most importantly, the cardholder. 

Visa’s eCommerce Threat Disruption uses patent-pending technology and investigation techniques to proactively identify compromises in the eCommerce environment. By analysing merchant websites for malicious payment data-skimming malware, Visa is able to identify a potential compromise and provide guidance on how to remove the malware, thereby limiting the amount of time a merchant is compromised, and the window of exposure where payment data is at risk.

In one case, eCommerce Threat Disruption’s early detection was able to save as much as US$141 million, due to the ability to quickly identify and disrupt an eCommerce threat to an online service provider.

For eCommerce players, what constitutes a robust security strategy? 

Capezza: In September 2020, Visa PFD released a report titled Website Security for eCommerce Merchants, which provides a detailed overview of the layered security strategy that eCommerce merchants can take to secure their payment environment. This includes keeping all your software up-to-date, enforcing strong authentication for users, encrypting and protecting your login pages, using a secure and PCI-compliant hosting provider, keeping your website clean, backing up your data, scanning your website for vulnerabilities, monitoring your website, and securing payment account data.

In light of the upcoming festive shopping season, what best practices can eCommerce players use to mitigate cybersecurity threats? What solutions are currently available?

Capezza: We would recommend that any stakeholder operating a payment environment now and during the upcoming peak sales season review the recommendations in the Website Security for eCommerce Merchants report.  Additionally, eCommerce merchants, acquirers, and other payment facilitators can stay up to speed on the latest in eCommerce Payment Intelligence by visiting the Visa Merchant Library.